The December 2021 compliance deadline looms near. Have the Covid-19 pandemic and the lack of additional guidance paused your institution’s focus on compliance?
If so, now is the time to re-evaluate outsourcing policies to ensure compliance, update template contracts and documents accordingly, and consider all of your organisation’s supplier arrangements to establish whether they fall within the Guidelines and whether contractual documents need to be updated.
Firms in the financial services sector and their suppliers should now be used to dealing with the European Banking Authority’s guidelines on outsourcing (Guidelines), which came into force for new contracts in September 2019.
Although the Prudential Regulation Authority (PRA) released its consultation paper on the Guidelines in December 2019, the submission deadline was extended due to Covid-19 and it closed in October 2020. The PRA has yet to publish the findings and outcomes of the consultation process, which may be subject to further consideration regarding the impact of the UK’s departure from the EU.
Whilst the Guidelines have been in force since 2019, the Covid-19 pandemic and the delay in the PRA providing additional practical guidance have paused or had an impact on many institutions’ focus on resolving and addressing outstanding compliance issues.
The December 2021 compliance deadline has not gone away and institutions still need to ensure they comply with the Guidelines by this deadline. Interestingly, our experience so far has been that institutions have taken different approaches to compliance. Some are re-negotiating all contracts, preparing additional addendums to roll out to multiple suppliers; others are focusing only on compliance in relation to new contracts.
As a reminder, the Guidelines are intended to be an update to the existing regulatory regime for banks when outsourcing functions, as set out in SYSC8 and MiFID II, as well as building on existing guidelines for outsourcing services to the cloud. The Guidelines have been produced following increasing interest from the European and UK regulators on how banks and other financial services firms use and rely on IT and digital services in an increasingly complex technology landscape.
The Guidelines set out the expectations on banks in several areas, which are:
- The pre-outsourcing phase: banks must have clear outsourcing policies to identify what is and isn’t outsourcing, to establish critical and important outsourcing, and to carry out due diligence of suppliers;
- The contractual phase: banks must have written agreements with all suppliers that include specific contractual provisions and protections set out in the Guidelines;
- The operational phase: banks must monitor suppliers on an ongoing basis, keep a register of suppliers and report this to the PRA, and be able to exit the arrangement in an orderly way.
The Guidelines state a number of clear exceptions, but the PRA’s view is that the majority of arrangements with third parties should be considered outsourcing by default. As such, the focus should be on what is critical and important, so that appropriate measures can be taken both contractually and operationally. Intra-group outsourcing is permitted but must be objectively justifiable. It should be subject to arm’s length contractual conditions and a separate sub-set of requirements, particularly where the intra-group outsourcing is to countries outside of the EEA. For full details of the Guidelines, please see our webinar here.
What should you be doing now?
You should be re-evaluating your outsourcing policy to ensure compliance, and updating template contracts and documents accordingly. You also need to consider all of your organisation’s supplier arrangements (including intra-group arrangements) to establish whether they fall within the Guidelines and whether contractual documents need to be updated.
Contracts for outsourced services must be updated now for new agreements. For arrangements that were already in place on or before 30 September 2019, firms should make required changes on renewal and at the latest by 31 December 2021.